Google scraps Pwnium, invites researchers to submit Chrome bugs year-round
Google is scrapping its annual Pwnium hacking competition, which has been held for four years in a row at the CanSecWest conference in Vancouver, Canada. That doesn’t mean that security researchers can’t send their Chrome and Chrome OS exploits to Google and collect a monetary reward.
Chrome Security Team member Tim Willis explained the reasons for the change: first, not everyone has the means to travel to the CanSecWest conference; second, allowing security researchers to submit their bugs year-round is a great way to prevent “bug hoarding.”
“If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward,” Willis pointed out.
“This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.”
Pwnium-style bug chains can be reported via the Chrome Vulnerability Reward Program (VRP), and the researchers can be rewarded with as much as $50,000 – if they can compromise a Chromebook or Chromebox with device persistence in guest mode.
Generally, the reward amounts vary depending on the seriousness of the bug, and on the quality of the report the researchers submit.